cisagov / manage.get.gov

A Django-based domain name registrar used by the .gov domain to communicate with an EPP registry
https://get.gov

Certificate Transparency Search API discovery #2040

Open erinysong opened 3 months ago

erinysong commented 3 months ago

Issue description

Certificate Transparency (CT) is "an ecosystem that makes the issuance of website certificates transparent and verifiable". It's an internet security protocol where certificates are logged centrally as they are issued by a certificate authority (CA), and modern browsers only trust CAs that log certificates. This allows the public and site operators to see what certificates a CA has issued for a given hostname.

The .gov team has access to a CT search API. With it, we can search a given domain name and pull all certificates (or certain fields in those certificates) across an entire namespace. This is one approach to help us better maintain a ".gov inventory", as required by the DOTGOV Act.

Acceptance criteria

Additional context

Note: as a research ticket, please timebox this effort per the story points.

Links to other issues

No response
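The namespace-wide search described in this issue, sketched as an added example that is not part of the original post or the project's code: it groups the hostnames found in certificate search results by their registered .gov domain. The record fields (`issuer`, `dns_names`) and all sample values are constructed assumptions, not the schema of the CT search API the team has access to.

```python
from collections import defaultdict

# Constructed sample records. Field names are assumptions for illustration,
# not the schema of the CT search API mentioned in the issue.
SAMPLE_RECORDS = [
    {"issuer": "CN=Example CA 1", "dns_names": ["www.example.gov", "example.gov"]},
    # Same certificate returned twice (precertificate and final certificate entries).
    {"issuer": "CN=Example CA 1", "dns_names": ["www.example.gov", "example.gov"]},
    # Mixed case, trailing dot, wildcard, and a SAN outside the namespace.
    {"issuer": "CN=Example CA 2", "dns_names": ["*.Apps.Example.GOV.", "partner.example.com"]},
    {"issuer": "CN=Example CA 2", "dns_names": ["mail.city-example.gov", "notgov.example"]},
]

def normalize(name):
    """Lower-case a SAN dNSName and drop any trailing dot."""
    return name.strip().lower().rstrip(".")

def registered_domain(host, suffix="gov"):
    """Return the second-level name under `suffix` (e.g. example.gov),
    or None when the host is not inside that namespace."""
    labels = host.split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # a wildcard still belongs to its parent domain
    if len(labels) < 2 or labels[-1] != suffix:
        return None  # also rejects names that merely contain "gov" as a label
    return ".".join(labels[-2:])

def build_inventory(records, suffix="gov"):
    """Map each registered domain to the hostnames and issuers seen for it."""
    inventory = defaultdict(lambda: {"hosts": set(), "issuers": set()})
    for rec in records:
        for raw in rec.get("dns_names", []):
            host = normalize(raw)
            domain = registered_domain(host, suffix)
            if domain is None:
                continue  # SAN outside the namespace, e.g. on a shared certificate
            inventory[domain]["hosts"].add(host)
            inventory[domain]["issuers"].add(rec["issuer"])
    return {d: {k: sorted(v) for k, v in entry.items()}
            for d, entry in sorted(inventory.items())}

if __name__ == "__main__":
    for domain, entry in build_inventory(SAMPLE_RECORDS).items():
        print(domain, entry["hosts"], entry["issuers"])
```
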

PaulKuykendall commented 2 months ago

Per NEW TRIAGE: this is not urgent. We currently subscribe to this, and should log in and get familiar with this.